Top Voting Machine Company Admits to Installing Remote-Access Software That Made Elections Vulnerable to Hackers

In April, the nation’s top voting machine company wrote a letter to Sen. Ron Wyden (D-OR) admitting that the company had installed remote-access software on election-management systems between 2000 and 2006. The company, Election Systems and Software, wrote that it “provided pcAnywhere remote connection software … to a small number of customers” which could have compromised the integrity of the machines and the elections they were used in.

Although ES&S has now admitted to the wrongdoing, the company denied installing remote connection software in February, when a spokesperson said, “None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.” The election management systems are not the actual voting booths that voters use to cast their ballots. Instead, the systems are installed in county election offices. The systems program the voting booth machines and count the votes before producing a final result. The installation of remote-access software on these systems makes them vulnerable to hacking.

Following the letter, Wyden called ES&S’s decision to install the remote-access software “the worst decision for security short of leaving ballot boxes on a Moscow street corner.” Unfortunately, he was right: in 2012 a hacker posted some of the pcAnywhere source code online, and in turn Symantec, the distributor of pcAnywhere, was forced to tell the public that the code had been stolen by hackers in 2006. If a hacker gains access to source code, they can search it for security flaws through which they could enter the system.

Following the hacking, in 2007 ES&S added an addendum to the contract which read, “ES&S technicians can use pcAnywhere to view a client computer, assess the exact situation that caused a software issue and to view data files.” Once the public was informed of the hacking in 2012, Symantec warned users to pull the plug on the system. Around the same time, they discovered a vulnerability in pcAnywhere that would allow a hacker to control any system that had the software. The chief technologist for the Center for Democracy and Technology said:

[I]t’s very unlikely that jurisdictions that had to use this software … updated it very often. Meaning it’s likely that a non-trivial number of them were exposed to some of the flaws found both in terms of configuration … but also flaws that were found when the source code to that software was stolen in 2006.

It is still not clear whether election officials who were using pcAnywhere ever fixed the situation. In the letter to Wyden, ES&S defended pcAnywhere, claiming that at the time of installation the software was “considered an accepted practice by numerous technology companies, including other voting system manufacturers.”

However, the letter leaves important questions unanswered, such as how many counties across the nation installed remote-access software, how many of those were ES&S customers, and whether hackers actually had an impact on elections due to the software. Wyden’s office has reached out to ES&S asking the company to identify all of its customers that had pcAnywhere installed. The company has yet to respond, but it did claim that customers who had the software installed “no longer have this application installed.” In the letter, ES&S also claimed it would meet privately with Wyden to discuss “election security”; however, when asked to attend a hearing on election security last week, the company declined. Wyden said:

“ES&S needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” he told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cyber security questions, you have to ask what it is hiding.”